Privacy Policy

Yasoly (operated as an electronic intermediary platform in the Arab Republic of Egypt under the brand "Yasoly" / "ياسولي", accessible at yasoly.com) is committed to safeguarding the privacy, confidentiality, and security of your personal data. This Privacy Policy explains how we collect, use, store, share, and protect your information when you browse our public showcase website, use our mobile applications, or interact with the Yasoly delivery ecosystem (food, groceries, pharmacies, e-commerce, and parcel delivery services).

This Policy is issued in compliance with the Egyptian Personal Data Protection Law No. 151 of 2020 (PDPL) and its Executive Regulations, and aligns with the principles of the EU General Data Protection Regulation (GDPR) — including Article 5 (data processing principles), Article 6 (lawful basis for processing), Articles 13 and 14 (information to be provided to data subjects), and Article 33 (notification of personal data breaches). By using Yasoly, you acknowledge that you have read and understood this Policy.

1. Data Controller Identity and Contact

The data controller responsible for processing your personal data is the Yasoly platform, operating in the Arab Republic of Egypt. Yasoly determines the purposes and means of personal data processing and is accountable for compliance with the PDPL and applicable Egyptian law.

For all privacy inquiries, data subject rights requests, or breach notifications, please contact our Data Protection Office at: dpo@yasoly.com

For general technical support, contact: support@yasoly.com

2. Categories of Personal Data We Collect

To deliver our services, Yasoly collects the following categories of personal data:

2.1 Identity and Contact Data

Full name as provided during registration or order placement
Mobile phone number (used for verification, order updates, and communication with merchants and drivers)
Email address
Date of birth (for age verification — Yasoly is restricted to users 18+)

2.2 Identity Verification (KYC) Data — Vendor and Driver Onboarding

National ID number and scanned national ID document (front and back)
Commercial registration certificate, tax card, and operating license (for vendors)
Driving license and vehicle registration (for delivery drivers)
Bank account or mobile wallet details for payouts

2.3 Geolocation Data

Precise GPS location (collected only when you explicitly grant device permission)
Approximate location derived from IP address (used to suggest your service zone)
Saved delivery addresses

2.4 Transaction and Order Data

Order history, items purchased, order value, and merchant identity
Payment method used (cash on delivery, card, mobile wallet — full card numbers are never stored by Yasoly)
Delivery confirmation timestamps and recipient name

2.5 Device, Technical, and Browser Data

Device type, operating system, application version
Browser type and version, screen resolution, and language preference
IP address and approximate connection origin
Browser fingerprint (used for fraud prevention and session integrity)
Cookie identifiers and consent state

2.6 Communication Metadata

In-app chat messages between users, merchants, and drivers
Customer support correspondence
SMS, email, and push notification delivery status

2.7 Marketing Preferences

Promotional consent state (opt-in / opt-out for marketing emails, SMS, and push notifications)
Engagement metrics with promotional content (open, click, dismiss)

3. Lawful Basis for Processing

In compliance with PDPL Article 6 and GDPR Article 6, Yasoly processes your personal data only when one of the following lawful bases applies:

Processing Purpose	Lawful Basis
Account creation, order placement, delivery fulfillment	Performance of a contract
KYC verification for vendors and drivers	Legal obligation (anti-fraud, tax, commercial regulation)
Marketing communications and personalized offers	Explicit consent (revocable at any time)
Fraud prevention, security monitoring, abuse detection	Legitimate interest
Tax invoicing and accounting record retention	Legal obligation (Egyptian commercial and tax law)
Cookies — essential and security	Strictly necessary (no consent required)
Cookies — functional, analytics, marketing	Explicit consent via cookie banner
Geolocation — precise GPS	Explicit consent at OS-level permission prompt

4. Purposes of Data Processing

Yasoly uses your personal data for the following specific purposes:

Service delivery: facilitating orders, connecting you with merchants and delivery drivers, calculating delivery fees, displaying nearby stores, and processing payments
Order tracking: providing real-time status updates via SMS, push notifications, and in-app messaging
Customer support: responding to inquiries, resolving disputes, and processing refund requests
Fraud prevention and platform security: detecting suspicious activity, blocking abusive accounts, and protecting our infrastructure from cyberattacks
Marketing (with your explicit consent): sending personalized offers, promotional codes, and product recommendations — you can withdraw consent at any time
Service improvement: aggregating anonymized usage statistics to identify usability issues and prioritize new features
Legal compliance: meeting tax, accounting, anti-money-laundering, and consumer protection obligations under Egyptian law

5. Third-Party Processors and Sub-Processors

Yasoly engages a limited set of carefully vetted third-party service providers ("processors") to deliver core platform functions. Each processor is contractually bound to PDPL and GDPR-equivalent confidentiality and security obligations. We disclose them transparently below:

Processor	Role	Data Categories Processed	Jurisdiction
Hetzner Cloud GmbH	Primary application and database hosting	All categories (encrypted at rest)	Germany (European Union)
Cloudflare, Inc.	Content delivery network (CDN), Web Application Firewall (WAF), DDoS protection. Traffic transit only — no application data is stored on Cloudflare	IP address, request metadata	Global edge network
Functional Software, Inc. (Sentry)	Error monitoring and crash reporting (loaded only after you grant analytics consent)	Browser type, error stack traces, anonymized session ID	United States (with EU data-residency option)
Meta Platforms, Inc. (WhatsApp Business API)	Transactional notifications to vendors and customers	Phone number, order status messages	European Union (Ireland) and United States
Google LLC (Google Maps and Places API)	Map rendering, address geocoding, store location display	Approximate geolocation, search queries	European Union and United States
Google LLC (Firebase Cloud Messaging — FCM)	Push notification delivery to mobile applications	Device push token, notification payload	European Union and United States

Future processors: SMS gateway integration may be added as a future fallback channel (currently Yasoly uses WhatsApp Business API only for transactional messaging). Online payment gateway integration may be added in the future for card and wallet processing — Yasoly currently supports cash on delivery and bank transfer methods only. If either category is engaged, this Privacy Policy will be updated to reflect the new processor.

We do not sell, rent, or trade your personal data to advertisers or data brokers. We share your name, phone number, and delivery address with merchants and drivers only as strictly required to fulfill an order you have placed.

6. Cross-Border Data Transfers

Yasoly's primary application servers and databases are hosted by Hetzner Cloud GmbH in data centers located in Germany (European Union). The transfer of personal data from Egypt to Germany is conducted under safeguards equivalent to those required by GDPR Article 45 (adequacy of EU-located processing) and complies with PDPL Article 14 cross-border transfer requirements. Hetzner is contractually bound by our Data Processing Agreement and applicable EU/EEA data protection law.

Limited operational data may also transit through Cloudflare's global edge network and through service providers (Sentry, Google, Meta) whose primary processing centers are in the EU and United States. In all such cases, processors are bound by Standard Contractual Clauses (SCCs) and equivalent safeguards.

7. Data Retention Periods

We retain personal data only for as long as necessary to fulfill the purposes outlined above, comply with legal obligations, resolve disputes, and enforce our agreements. Specific retention periods are:

Data Category	Retention Period	Basis
Identity and contact data (active accounts)	For the lifetime of the account, plus 24 months after deletion request	Legal and financial obligations
Order and transaction records	7 years from order date	Egyptian commercial law and tax record-keeping
KYC documents (vendors and drivers)	5 years after partnership termination	Anti-fraud and regulatory obligations
Precise GPS geolocation	Active session only; not retained after order completion	Data minimization principle
Aggregated geolocation analytics	13 months in anonymized form	Service improvement
Marketing consent and preferences	Until withdrawn, plus a 30-day deletion buffer	Consent management
In-app chat messages	12 months from last message	Dispute resolution
Cookies — essential	Session-only or maximum 24 hours	Strictly necessary
Cookies — functional	12 months	User preference persistence
Cookies — analytics	13 months (anonymized)	Service measurement
Cookies — marketing	Currently disabled	Not in use
Server access and security logs	12 months	Fraud prevention and incident response

8. Your Rights as a Data Subject

Under PDPL Article 2 and equivalent GDPR provisions, you have the following rights with respect to your personal data:

Right of access: You may request confirmation of whether we process your personal data and obtain a copy in a readable format
Right to rectification: You may request correction of inaccurate or incomplete data
Right to erasure ("right to be forgotten"): You may request deletion of your personal data when retention is no longer justified by a lawful basis
Right to data portability: You may request your data in a structured, machine-readable format and request transfer to another service provider
Right to object: You may object to processing for direct marketing or profiling at any time
Right to withdraw consent: Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing
Right to restrict processing: You may request that we limit processing while a dispute or rectification is pending
Right to lodge a complaint: You may file a complaint with the Personal Data Protection Center if you believe your rights have been violated

To exercise any of these rights, contact us at dpo@yasoly.com. We will endeavor to respond within 30 calendar days from receipt of your verified request, consistent with the response timeframes established under the Executive Regulations of the PDPL. We may request reasonable identity verification before fulfilling sensitive requests.

9. Cookies and Tracking Technologies

Yasoly uses cookies and similar tracking technologies (browser local storage, session storage, pixel tags) to operate the website and improve your experience. We classify cookies into four categories:

9.1 Essential Cookies (always on — no consent required)

Session identifier (used to maintain your browsing context)
Cross-Site Request Forgery (CSRF) protection token
Cookie consent state (records your banner choice)
Security and rate-limit fingerprint

9.2 Functional Cookies (consent-based)

Locale preference (Arabic / English)
Theme preference (light / dark)
Selected service zone
Remembered delivery address

9.3 Analytics Cookies (consent-based)

Cloudflare RUM (Real User Monitoring) for performance measurement
Internal aggregated usage statistics (anonymized)
Sentry error monitoring (loaded only after consent)

9.4 Marketing Cookies (currently disabled)

Yasoly does not currently deploy marketing cookies. Should we introduce them in the future, your explicit opt-in consent will be required before activation.

You can manage your cookie preferences at any time via the "Cookie Preferences" option available in our cookie banner and in the website footer. Browser-level cookie controls also allow you to block or delete cookies, although disabling essential cookies may impair website functionality.

10. Children's Privacy

Yasoly's services are intended for users 18 years of age or older. We do not knowingly collect personal data from minors. If a parent or legal guardian becomes aware that a minor has provided personal data to Yasoly, please contact us at dpo@yasoly.com so we can promptly delete the information.

11. Automated Decision-Making and Profiling

Yasoly uses recommendation algorithms to suggest stores, items, and offers tailored to your interests. These systems do not produce decisions that have legal effects or similarly significant effects on you. We do not engage in fully automated decision-making concerning credit, employment, or other matters that produce legal effects, in line with GDPR Article 22 and the general fundamental-rights protections of the Egyptian PDPL (Article 2). You may object to any profiling activity at any time.

12. Data Security Measures

Yasoly applies layered technical and organizational measures to protect your data:

End-to-end encryption in transit (TLS 1.2 and above) and at rest (AES-256 for sensitive fields)
Web Application Firewall (Cloudflare) and DDoS mitigation at the edge
Strict role-based access control with the principle of least privilege
Multi-factor authentication for all administrative access
Regular security audits, penetration testing, and dependency vulnerability scanning
Encrypted off-site backups with limited retention
Continuous monitoring through Sentry (error reporting) and infrastructure alerting

Breach notification: In the unlikely event of a personal data breach that poses a risk to your rights and freedoms, Yasoly will notify the Personal Data Protection Center within 72 hours of becoming aware of the breach, consistent with PDPL Article 7 and GDPR Article 33 (where applicable to our processing activities). Affected data subjects will be notified directly without undue delay where the breach is likely to result in a high risk to their rights.

13. Vendor and Driver KYC Disclosure

Vendor and driver registration on Yasoly requires submission of national ID documents, commercial licensing, and (for drivers) driving licenses and vehicle registration. These documents are processed solely for identity verification, anti-fraud screening, and regulatory compliance. They are encrypted at rest, retained for 5 years after partnership termination per anti-fraud regulations, and shared only with regulators upon valid legal request.

14. Filing a Complaint with the Personal Data Protection Center

If you believe your data subject rights have been violated and our internal resolution process has not provided a satisfactory remedy, you have the right to file a complaint directly with the Personal Data Protection Center (the supervisory authority designated under PDPL Law 151/2020). We strongly encourage you to contact our Data Protection Office at dpo@yasoly.com first, so we may attempt resolution within a target 30-day window before escalation.

15. Policy Amendments

Yasoly reserves the right to update this Privacy Policy periodically to reflect changes in our practices, legal requirements, or service offerings. Material changes will be communicated through:

An in-app banner displayed on first launch after the change
An email notification to your registered address (where consent has been provided)
An updated "Last Updated" timestamp at the foot of this page

For material changes affecting the lawful basis or scope of processing, we will provide a 30-day advance notice before the change takes effect. Continued use of Yasoly after the effective date constitutes acceptance of the updated Policy.

16. Contact and Effective Date

Data Protection Office: dpo@yasoly.com
Technical Support: support@yasoly.com
Last Updated: 5 May 2026
Effective Date: 5 May 2026
Jurisdiction: Arab Republic of Egypt